Securing the Air-Gap: Building a Hardware-Aware Forensic Suite for ICS/OT by Rugero Tesla (404saint)

The Problem

In industrial environments, the "Air-Gap" is a myth as long as USB drives exist. Removable media remains the primary bridge for malicious logic (Stuxnet, etc.). Standard AV often misses the subtle indicators of industrial protocol manipulation or high-entropy obfuscation hidden in legitimate vendor installers.

Introducing Guardian-OT

I built Guardian-OT to provide a minimalist, high-signal audit of any drive before it touches a critical engineering workstation. It is part of my long-term journey into Operational Technology security.

Key Technical Pillars

  1. Hardware Fingerprinting (Anti-Spoofing)
    Instead of trusting the filesystem, the tool extracts the USB Hardware UUID and maps it against a local SQLite Vault. If the ID is unknown or doesn't match the expected hardware, the audit flags it immediately.

  2. Recursive Integrity Vault
    Using a tree-hashing algorithm, the tool verifies every bit on the drive. If a single file has been modified since the last "known-good" scan, it triggers a deep forensic audit.

  3. Deep Forensic Pipeline
    - YARA Scanning: hunts for ICS-specific strings (Modbus, S7Comm, Ethernet/IP).
    - Entropy Analysis: scores files from 0.0 to 8.0. Anything above 7.8 (like encrypted payloads or packed executables) is isolated for manual review.
    - Magic Number Validation: detects header/extension mismatches used to disguise scripts as documents.
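To make the entropy and magic-number stages concrete, here is an added example (my own illustration, not Guardian-OT's code) that scores constructed sample files on the 0.0 to 8.0 scale with the post's 7.8 isolation threshold and checks known file headers against the claimed extension. The signature table and sample bytes are assumptions chosen for the demonstration.

```python
import math
import os
from collections import Counter

ENTROPY_THRESHOLD = 7.8  # from the post: above this, isolate for manual review

# Well-known file headers (magic numbers) keyed by lowercase extension.
# Assumed table for this example; a real vault would carry many more.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],  # OOXML documents are zip containers
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension has a known header and the bytes do not start with it."""
    sigs = MAGIC.get(os.path.splitext(name)[1].lower())
    if sigs is None:
        return False  # no signature on file for this extension: nothing to compare
    return not any(data.startswith(s) for s in sigs)

def triage(name: str, data: bytes) -> dict:
    """Combine the two checks into one verdict for a single file."""
    ent = round(shannon_entropy(data), 3)
    findings = []
    if ent > ENTROPY_THRESHOLD:
        findings.append("high-entropy")
    if magic_mismatch(name, data):
        findings.append("magic-mismatch")
    return {"file": name, "entropy": ent, "suspicious": bool(findings), "findings": findings}

# Constructed samples: a shell script disguised as a PDF, and a genuine-looking PDF.
SAMPLES = {
    "report.pdf": b"#!/bin/sh\necho hello\n",          # header says script, extension says PDF
    "manual.pdf": b"%PDF-1.4\n%...\n" + b"A" * 64,    # correct header, low entropy
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```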

The Researcher Dashboard

I integrated a Streamlit-based dashboard to turn raw JSON forensic data into actionable intelligence. It allows for rapid triage, separating 1,000+ standard assets from the 10-20 "Suspicious" items that actually require human eyes-on review.

Why I'm Building This

As I work through my 4-6 year roadmap toward becoming an ICS/OT Security Researcher, I want to move beyond using tools and start building them. Guardian-OT is the first step in creating a resilient, reproducible forensic workflow for industrial environments.

Check out the project on GitHub: https://github.com/404saint/guardian-ot
